Note the fixed_login part. We have NO email accounts on this domain. How could it be a fixed log in?

Fixes used : Enabled most Exim security options via Cpanel/WHM. Changed domain passwords. We added log_selector = +all and host_lookup = 0.0.0.0/0 to the exim.conf. SPF, rDNS, Domainkeys installed. Tested our IP's at abuse.net to make sure we were not an open relay.

Reviewed logs to make sure no one but our IP has logged into the server, Cpanel, or domains.

The only way we can block these attempts currently is to rate limit AUTH RELAY in CSF Firewall to "0".

I know that standard line is that Exim is not setup to relay mail by default but spammers have figured out a way.